What we do with your information

Short version: we read your submission, reply to you, and keep it on a secure database. When your case is ready to move, the on-the-ground filing in Italy is handled by a qualified specialist there, and we share your details with them only after you give us the go-ahead. We never sell your information to advertisers or data brokers. The longer version is below — written in plain English because you should be able to tell what happens to your family details without a lawyer.
Information current as of June 2026.

What we collect

When you submit the eligibility form we ask for, and keep, exactly these fields:

  • First name — to address you in the reply.
  • Email address — so we can send the assessment back.
  • Your family story (free-text) — names, places, approximate dates of the Italian-born ancestor.

Alongside the submission, we also store technical context to detect spam and understand which channels bring real people:

  • Marketing attribution — UTM parameters and Google Ads click ID (gclid), if present.
  • Referrer — the page that linked you here, if your browser sends it.
  • Browser user-agent — the standard string browsers report (no fingerprinting beyond that).
  • Hashed IP — a one-way SHA-256 hash truncated to 16 characters; we cannot recover the original address. Used only to flag suspicious patterns.

We do not ask for, and do not store, payment information or government documents at this stage.

Where it lives

Submissions are stored in a Postgres database hosted by Supabase in the European Union (Frankfurt region). Connections are encrypted in transit (TLS) and the database is encrypted at rest by the provider. Direct read or write access from the public internet is blocked at the row level; only our server can insert new rows, using a private service-role key that is never exposed to your browser.

How we use it

  • To read your case and email you a written assessment.
  • To qualify your case and, when it is ready to move, arrange for the on-the-ground filing in Italy to be handled by a qualified specialist there.
  • To improve our copy and pages (which keywords brought you here, did the page load).
  • To detect spam and automated submissions.

We never sell your data to advertisers or data brokers, and we do not use it for ad retargeting.

Who else sees it

We use a small number of third-party services to operate Patria Citizenship, and the on-the-ground filing in Italy is handled by a qualified specialist there once your case is qualified. Each only sees the data it needs:

  • Render — hosts the website; sees server logs (IP, user-agent) for security and operations.
  • Supabase — stores submissions (as above).
  • Resend — sends the assessment email back to you (sees recipient address and message body) only if you submitted the form.
  • Google Analytics 4 & Google Ads — see anonymized page-view and click data to measure traffic and campaign performance (see "Cookies & analytics" below).
  • A qualified specialist in Italy — the specialist handling the on-the-ground filing sees your name, contact details, and family story, only with your explicit consent, given for that specialist by name. Until you say yes, they see at most an anonymized case summary with no name or contact details in it.

None of them may use your data for their own marketing. The specialist receives your details for one purpose: handling your citizenship case.

Cookies & analytics

We use Google Analytics 4 and Google Ads tagging to understand which marketing channels bring real visitors. These services set first-party cookies (typical names like _ga, _gid, _gcl_au) and collect:

  • Page views and scroll behavior
  • Approximate geographic region (country/city level, from IP)
  • Device type and browser
  • How you arrived (referrer, ad click)

You can opt out via your browser's privacy controls, a tracking blocker, or the official Google Analytics opt-out add-on.

How long we keep it

Submissions are kept until you ask us to delete them, or for up to 24 months after our last reply — whichever comes first. After that, the row is removed from the production database. Backups age out within 30 days.

Your rights

If you are in the EU, EEA, or UK, the GDPR gives you the right to:

  • Access the data we hold about you.
  • Correct anything that is wrong.
  • Have it deleted.
  • Receive a copy in a portable format.
  • Restrict or object to certain processing.
  • Withdraw any consent you have given — including consent to share your details with the specialist handling your case — at any time.
  • Lodge a complaint with your national data-protection authority.

Residents of California (CCPA/CPRA) and similar US-state regimes have parallel rights: to know, delete, correct, and opt out of any "sale" or "sharing." We never sell your data to advertisers or data brokers, and we do not share it for cross-context advertising. Your details reach the specialist handling your case only when you tell us to send them, and you can withdraw that instruction at any time.

To exercise any of these rights, email us (see below) or simply reply to any Patria Citizenship message you have received. We respond within 30 days and will not ask for anything beyond what is needed to verify your request.

Contact

For privacy questions, deletion requests, or anything else about your data:
hello@patriacitizenship.com

Patria Citizenship is a U.S.-based service in pilot phase. This policy will be updated as the service grows; the "as of" date at the top reflects the current version.

← Back to home · Check my case